We have a Cisco ASA 5510 connected to a LAN segment with a Cisco 6500 and multiple VLANs, using a Class B address range.
We have a NAT device (non-Cisco product) on top of the Cisco ASA 5510 handling all the static and dynamic NAT.
We have lots of Internet users and about 50-60 servers, all in the LAN segment.
Since the ASA is not doing the NAT, I can use
nat (inside) 0 172.16.0.0 255.255.0.0
to exempt all traffic from NAT, right?
But when I do this I am having issues accessing a few servers from the outside that have static NAT on my NAT device. (This is a problem only with a few servers; all the others are fine, and normal Internet users also have no issues, to the best of my knowledge.)
The reason is that nat 0 will only work from inside to outside. When an inside server opens a connection to the outside, the ASA "knows" the server and has an entry in the NAT table.
If the server does not access the outside world, the ASA does not "know" the server.
Your static NAT makes a permanent entry in the NAT table.
I had this problem with a client that wanted to use public IPs inside the ASA. Only when the server had opened a connection was an inbound connection successful. With the "fake" NAT everything is fine.
Unfortunately it's not that simple. While the configurations are similar in the sense that they can both perform NAT exemption, identity NAT (via a static) enters a permanent entry in the xlate table, whereas nat 0 does not create an entry in the xlate table but DOES add entries to the NAT table from the interface listed in the nat 0 command to all equal or lower security level interfaces.
Your assumptions are incorrect, at least partially. The Cisco documentation (the Cisco ASA and PIX Firewall Handbook) states that with a nat 0 configuration, traffic must be initiated from the higher security level interface before traffic will be allowed in from the lower security level interface. It goes on to state that identity NAT via a static is bidirectional and traffic can be initiated from either interface. This is true for SOME code versions but not all. In 8.2(2), both nat 0 and identity NAT are bidirectional and function identically.
Now, one key difference between these two (which sounds related to your scenario) is the order in which they are processed. nat 0 is processed before all static NAT entries. Static NAT is processed in the order in which the entries are added.
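As an added example, not taken from any of the posts above: the two forms the replies compare, written in ASA 8.2-style syntax, plus the commands used to check which rule an inbound connection actually hits. The addresses are assumptions for illustration only: 172.16.0.0/16 as the inside range, 172.16.10.5 as a server that only ever receives inbound connections, and 203.0.113.50 as a test source on the outside. Options A, B and C are alternatives for the same range and are not meant to be configured together.

```cisco
! Option A: identity NAT with nat 0 (the form used in the original post).
! The rule is built from 'inside' towards equal or lower security interfaces;
! no xlate exists for a host until it sends traffic itself.
nat (inside) 0 172.16.0.0 255.255.0.0

! Option B: static identity NAT for the same range.
! Installs a permanent translation for the whole /16, so an inbound
! connection to a server that never talks outbound still finds a match.
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! Option C: NAT exemption (nat 0 with an access-list). Assumed here as the
! variant Cisco documents as allowing connections from either side; the
! access-list matches on both source and destination.
access-list NO_NAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (inside) 0 access-list NO_NAT

! Whichever NAT form is used, inbound traffic still needs an ACL on the
! outside interface. The upstream NAT device has already rewritten the
! public destination to the private address, so the ACL matches 172.16.10.5.
access-list OUTSIDE_IN extended permit tcp any host 172.16.10.5 eq 443
access-group OUTSIDE_IN in interface outside

! Checks. packet-tracer walks the flow through the ACL and NAT phases and
! names the rule (or the phase that drops it); show xlate confirms whether
! a translation for the server exists before it has sent anything outbound.
packet-tracer input outside tcp 203.0.113.50 40000 172.16.10.5 443
show xlate | include 172.16.10.5
show nat
```

Run the packet-tracer against a server that has never initiated an outbound connection. A drop reported in the NAT phase with only Option A configured, and a pass once Option B or C is in place, is the behaviour the replies above are describing; a drop in the ACL phase instead means the outside access-list, not NAT, is the problem.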